Holiday Online Cybersecurity

“By following a few guiding principles like checking your devices, shopping from trusted sources, using safe purchasing methods, and following basic cyber hygiene like multi-factor authentication, you can drastically improve your online safety when shopping online for gifts this year. Your cyber safety should be treated like your physical safety. Stay vigilant, take steps protect yourself, and trust your instincts. If you see something that doesn’t look right, there’s a good chance it isn’t.” ~ Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency (CISA)

It’s imperative that Americans stay safe online this holiday season. In the coming weeks, millions of Americans will be looking for the best deals on the internet. Meanwhile, cyber criminals will be hard at work looking to target online shoppers. 

The holiday shopping season is a prime opportunity for bad actors to take advantage of unsuspecting shoppers through fake websites, malicious links, and even fake charities.

Their goal is simple: get your personal and financial information to compromise your data, deploy malicious software, steal your identity, and take your money. But with some simple actions, you can stay safe while you shop online.

The Cybersecurity and Infrastructure Security Agency (CISA) is committed to helping Americans better protect themselves online. This holiday shopping season, they want to provide a few easy steps to prevent you from becoming a victim of cyber-crime.  

Using strong passwords, updating your software, thinking before you click on suspicious links, and turning on multi-factor authentication are the basics of what they call “cyber hygiene” and will drastically improve your online safety.  

Here are the 4 common sense ways to protect yourself online:

  • Implement multi-factor authentication (MFA) on your accounts and make it much less likely you’ll get hacked. Multi-factor authentication (or two-factor authentication), uses multiple pieces of information to verify your identity. Even if an attacker obtains your password, they may not be able to access your account if it’s protected by this multiple step verification process.  
  • Update your software. In fact, turn on automatic updates.  
  • Think before you click. Most successful cyber-attacks start with a phishing email.  
  • Use strong passwords, and ideally a password manager to generate and store unique passwords. 

Before making any online purchases, make sure the device you’re using to shop online is up-to-date. Next, take a look at your accounts and ask, do they each have strong passwords? And even better, if multi-factor authentication is available, are you using it?  

Before providing any personal or financial information, make sure that you are interacting with a reputable, established vendor.

Some attackers may try to trick you by creating malicious websites that appear to be legitimate. Always verify the legitimacy before supplying any information. If you’ve never heard of it before, check twice before handing over your information.


References:

  1. https://www.cisa.gov/shop-safely
  2. https://www.cisa.gov/news/2022/11/23/cisa-reminds-online-shoppers-stay-vigilant-cyber-threats-holiday-season

10 Cyber Security Tips for Small Business

Information technology and high-speed Internet are great enablers of small business success, but with the benefits comes the need to guard against growing cyber threats, thefts, malware, ransomware and scams. ~ Federal Communications Commission (FCC)

The Internet allows small businesses to reach new and larger markets and provides opportunities to work more efficiently by using computer-based tools.

Whether a company is thinking of adopting cloud computing or just using email and maintaining a website, cybersecurity should be a priority and part of the plan.

Theft of digital information has become the most commonly reported fraud, surpassing physical theft.

Every business that uses the Internet is responsible for and must implement measures to create a culture of security that will enhance business and consumer confidence. This starts with creating a cyber plan.

In short, small businesses want to keep their cyber infrastructure running and their critical assets secure from cyber criminals. However, the chaos of rapidly changing technology and evolving cyber threats can create frustrating obstacles to your business—or introduce new growth opportunities!

Based on what your business wants to achieve in cyber security, there are best practices you should be doing to increase your chances of success. There are several security practices rank most effective, and which are making the making difference.

10 Cyber Security Tips for Small Business

Broadband and information technology are powerful factors in small businesses reaching new markets and increasing productivity and efficiency. However, businesses need a cybersecurity strategy to protect their own business, their customers, and their data from growing cybersecurity threats.

1. Train employees in security principles

Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

2. Protect information, computers, and networks from cyber attacks

Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.

3. Provide firewall security for your Internet connection

A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.

4. Create a mobile device action plan

Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

5. Make backup copies of important business data and information

Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud.

6. Control physical access to your computers and create user accounts for each employee

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

7. Secure your Wi-Fi networks

If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router, so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.

8. Employ best practices on payment cards

Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

9. Limit employee access to data and information, limit authority to install software

Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10. Passwords and authentication

Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.

When it comes to cybersecurity, training and transparency are key. All users have a responsibility, and if they embraced their responsibility, security in the cyberspace would be easier to achieve.

If the non-technical managers and leaders understood the impact of good and poor cybersecurity, they would use the cyber assets they have more responsibly. The workforce would be more careful about the devices they introduce to the network.

For more information, please download the cybersecurity tip sheet.


References:

  1. https://www.fcc.gov/cyberplanner
  2. https://apps.fcc.gov/edocs_public/my attachmatch/DOC-306595A1.pdf
  3. https://www.fcc.gov/communications-business-opportunities/cybersecurity-small-businesses

Cyber Threats are Clear and Present

Cybersecurity threats, malware and ransomware are clear and present danger threats to American businesses and way of life.

This week, Americans wake-up to dire warnings from the federal government in Washington to growing cyber threats and malware from Russia. The federal government warns American citizens, organizations and businesses to enhance their cyber vigilance and security in preparation of cyber attacks originating from Russia targeting critical information and infrastructure.

The latest cybersecurity threats are taking advantage of pandemic induced work-from-home environments, remote access tools, and new cloud services. According to CISA, these evolving cybersecurity threats include:

  • Malware — malicious software variants—such as worms, viruses, Trojans, and spyware—that provide unauthorized access or cause damage to a computer. Malware attacks are increasingly “fileless” and designed to get around familiar detection methods, such as antivirus tools, that scan for malicious file attachments.
  • Ransomware — a type of malware that locks down files, data or systems, and threatens to erase or destroy the data – or make private or sensitive data to the public – unless a ransom is paid to the cybercriminals who launched the attack. Recent ransomware attacks have targeted state and local governments, which are easier to breach than organizations and under pressure to pay ransoms in order to restore applications and web sites on which citizens rely.
  • Phishing / social engineering — a form of social engineering that tricks users into providing their own sensitive information. In phishing scams, emails or text messages appear to be from a known individual or legitimate company asking for sensitive information, such as credit card data or login information. The FBI has noted about a surge in pandemic-related phishing, tied to the growth of remote work.
  • Insider threats — Current or former employees, business partners, contractors, or anyone who has had access to systems or networks in the past can be considered an insider threat if they abuse their access permissions. Insider threats can be invisible to traditional security solutions like firewalls and intrusion detection systems, which focus on external threats.
  • Distributed denial-of-service (DDoS) attacks — attempts to crash a server, website or network by overloading it with traffic, usually from multiple coordinated systems. DDoS attacks overwhelm enterprise networks via the simple network management protocol (SNMP), used for modems, printers, switches, routers, and servers.
  • Advanced persistent threats (APTs) — an intruder or group of intruders infiltrate a system and remain undetected for an extended period. The intruder leaves networks and systems intact so that the intruder can spy on business activity and steal sensitive data while avoiding the activation of defensive countermeasures. The recent Solar Winds breach of United States government systems is an example of an APT.
  • Man-in-the-middle attacks — an eavesdropping attack, where a cybercriminal intercepts and relays messages between two parties in order to steal data. For example, on an unsecure Wi-Fi network, an attacker can intercept data being passed between guest’s device and the network.

A majority of Americans have moved their financial and daily lives online, and thus are more susceptible than ever to of cyber crime, malware and ransomware attacks.

As you might image, today’s world is more interconnected than ever before. Yet, for all its advantages, increased connectivity brings increased risk of theft, fraud, and abuse.

As Americans become more reliant on modern technology, we also become more vulnerable to cyberattacks and cybercrimes.

Every organization—large and small—must be prepared to respond to cybercrime and disruptive cyber incidents, explains the Cybersecurity and Infrastructure Security Agency (CISA). CISA leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.

CISA recommends all individuals and organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets, like a “zero trust strategy”.

A zero trust strategy assumes compromise and sets up controls to validate every user, device and connection into the business for authenticity and purpose. To be successful executing a zero trust strategy, organizations need a way to combine security information in order to generate the context (device security, location, etc.) that informs and enforces validation controls.


References:

  1. https://www.ibm.com/topics/cybersecurity
  2. https://www.cisa.gov/shields-up

Keep Yourself Cyber Safe

Every American can take simple steps to improve their cybersecurity and protect themselves while online.

As the nation’s cyber defense agency, Cybersecurity and Infrastructure Security Agency (CISA) stands ready to help individuals and organizations prepare for, respond to, and mitigate the impact of cyberattacks and cybercrime.

Currently, CISA recommends all individuals, organizations and businesses —regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical information and assets.

Every American can take several simple steps to improve their cybersecurity and protect themselves while online. In fact there are 5 things you can do to keep yourself cyber safe. CISA urges everyone to practice the following: 

  • Implement multi-factor authentication (MFA) on your accounts. A password isn’t enough to keep you safe online. By implementing a second layer of identification, like a confirmation text message or email, a code from an authentication app, a fingerprint or Face ID, or best yet, a FIDO key,  you’re giving your bank, email provider, or any other site you’re logging into the confidence that it really is you. Multi-factor authentication can make you 99% less likely to get hacked. So enable multi-factor authentication on your email, social media, online shopping, financial services accounts. And don’t forget your gaming and streaming entertainment services!   
  • Update your software. In fact, turn on automatic updates.   Bad actors will exploit flaws in the system. Update the operating system on your mobile phones, tablets, and laptops.  And update your applications – especially the web browsers – on all your devices too.   Leverage automatic updates for all devices, applications, and operating systems. 
  • Think before you click. More than 90% of successful cyber-attacks start with a phishing email.  A phishing scheme is when a link or webpage looks legitimate, but it’s a trick designed by bad actors to have you reveal your passwords, social security number, credit card numbers, or other sensitive information. Once they have that information, they can use it on legitimate sites. And they may try to get you to run malicious software, also known as malware.  If it’s a link you don’t recognize, trust your instincts, and think before you click. 
  • Use strong passwords, and ideally a password manager to generate and store unique passwords.  Our world is increasingly digital and increasingly interconnected. So, while we must protect ourselves, it’s going to take all of us to really protect the systems we all rely on. 
  • Halt bad practices. Take immediate steps to: (1) replace end-of-life software products that no longer receive software updates; (2) replace any system or products that rely on known/default/unchangeable passwords; and (3) adopt MFA for remote or administrative access to important systems, resources, or databases.

Americans should prepared themselves to respond to cybercrime and to disruptive cyber activity. CISA encourages everyone to put their “Shields Up” and take proactive steps to protect against active and future cyber threats. 


References:

  1. https://www.cisa.gov/shields-up
  2. https://www.cisa.gov/free-cybersecurity-services-and-tools